Overview
Air-gapped signing is a security practice where Bitcoin transactions are signed on a device that has never been and will never be connected to the internet or any other network. The "air gap" refers to the physical separation between the signing device and any networked computer. This approach provides the strongest possible protection against remote attacks, malware, and supply chain compromises that reach the online computer, because even if that computer is fully compromised, the attacker cannot access the private keys on the isolated signing device.
The challenge of air-gapped signing is bridging the gap: the unsigned transaction must be transferred to the offline device, and the signed transaction must be transferred back to the online computer for broadcasting. This is accomplished using Partially Signed Bitcoin Transactions (PSBTs), which provide a standardized format for passing incomplete transactions between devices via QR codes, SD cards, or NFC.
How Air-Gapped Signing Works
┌─────────────────────────┐          ┌──────────────────────────┐
│     ONLINE COMPUTER     │          │    AIR-GAPPED DEVICE     │
│   (watch-only wallet)   │          │     (signing device)     │
│                         │          │                          │
│ 1. Build unsigned tx    │          │                          │
│    (PSBT)               │          │                          │
│                         │   QR /   │                          │
│ 2. Export PSBT ─────────│──SD card─│──► 3. Import PSBT        │
│                         │          │                          │
│                         │          │ 4. Review tx details     │
│                         │          │    - Amount              │
│                         │          │    - Destination         │
│                         │          │    - Fee                 │
│                         │          │                          │
│                         │          │ 5. Sign with             │
│                         │   QR /   │    private key           │
│ 7. Import signed tx ◄───│──SD card─│──◄ 6. Export signed PSBT │
│                         │          │                          │
│ 8. Broadcast to         │          │ Private keys NEVER       │
│    Bitcoin network      │          │ leave this device        │
└─────────────────────────┘          └──────────────────────────┘
             │                                     │
       Connected to                           No network
       the internet                           connection
                                                 ever
Transfer Methods
The unsigned and signed transactions must cross the air gap through a physical medium:
| Method | Security | Convenience | Devices / notes |
|---|---|---|---|
| QR codes | Very high | High | Coldcard Q, SeedSigner, Keystone |
| MicroSD card | High | Medium | Coldcard, Jade |
| NFC | Moderate | High | Some newer hardware wallets |
| USB (data only) | Lower | High | Defeats some air-gap benefits |
QR codes are generally considered the most secure transfer method because they are human-inspectable (the data is visible and bounded), unidirectional, and cannot carry executable code. Animated QR codes handle the size limitations of single QR codes by splitting the PSBT across multiple frames.
Air-Gapped Devices
Several hardware and software options support air-gapped signing:
- Coldcard: A dedicated hardware wallet designed from the ground up for air-gapped operation. Uses a MicroSD card or QR codes (on the Q model) for PSBT transfer. Features a secure element and tamper-evident casing.
- SeedSigner: An open-source, stateless signing device built on a Raspberry Pi Zero. Uses QR codes exclusively. Does not store keys — the seed must be re-entered or scanned each session.
- Keystone: A hardware wallet with a large touchscreen and QR-based air-gapped signing.
- Air-gapped laptop: A dedicated computer running a signing-only OS (such as Tails) that has had its Wi-Fi, Bluetooth, and networking hardware physically removed or disabled.
Combining Air-Gapped Signing with Multisig
Air-gapped signing becomes even more powerful when combined with multisig. In a 2-of-3 multisig setup, each signing device is air-gapped and stored in a different location. The PSBT is passed from device to device (physically or via QR codes), collecting signatures until the threshold is met:
┌──────────┐     PSBT     ┌──────────┐     PSBT     ┌──────────┐
│ Device A │ ───────────► │ Device B │ ───────────► │  Online  │
│ (Sign 1) │   (1 of 2    │ (Sign 2) │   (2 of 2    │  Wallet  │
│ Location │    sigs)     │ Location │    sigs)     │          │
│  Alpha   │              │   Beta   │              │ Broadcast│
└──────────┘              └──────────┘              └──────────┘
This provides defense in depth: even if one signing device is compromised, the attacker cannot spend funds without also compromising a second device at a different location.
Security Considerations
Air-gapped signing is not a silver bullet. Users should be aware of:
- Supply chain attacks: If the signing device is compromised before the user receives it, the air gap does not help. Verifying firmware authenticity and using open-source hardware mitigates this risk.
- Side-channel attacks: A physically proximate attacker could theoretically extract information through electromagnetic emissions, power analysis, or acoustic signals. Secure elements in hardware wallets are designed to resist these attacks.
- Verify on the device: Always verify the transaction details (recipient address, amount, fee) on the signing device's screen, not on the online computer. A compromised online computer could display a different transaction than what it actually constructed.
- SD card malware: While SD cards cannot directly attack an air-gapped device's signing process, a malicious SD card could exploit firmware vulnerabilities. Using QR codes eliminates this removable-media vector entirely, although the scanned data is still untrusted input that the device has to parse.
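The independent check that "Verify on the device" calls for, and the signature collection described under multisig, can both be read straight from the PSBT bytes. The following is an added example, not code from the original page or from any wallet: a minimal BIP 174 (PSBT version 0) reader that reports outputs, fee and partial signatures per input. It assumes segwit inputs that carry a witness UTXO record; the function names and the sample PSBT (placeholder txid, key and signature bytes) are constructed for illustration.

```python
import struct
from io import BytesIO

def read_compact(s):                        # Bitcoin CompactSize integer
    n = s.read(1)[0]
    return n if n < 0xfd else int.from_bytes(s.read({0xfd: 2, 0xfe: 4, 0xff: 8}[n]), "little")

def read_map(s):                            # one PSBT key-value map, up to its 0x00 separator
    m = {}
    while (klen := read_compact(s)) != 0:
        key = s.read(klen)
        if key in m:                        # BIP 174 forbids duplicate keys
            raise ValueError("duplicate key in PSBT map")
        m[key] = s.read(read_compact(s))
    return m

def parse_unsigned_tx(raw):                 # -> (input count, [(sats, scriptPubKey hex)])
    s = BytesIO(raw[4:])                    # skip the 4-byte version
    n_in = read_compact(s)
    for _ in range(n_in):
        s.read(36)                          # previous outpoint (txid + index)
        s.read(read_compact(s) + 4)         # scriptSig (empty in a PSBT), then sequence
    outs = []
    for _ in range(read_compact(s)):
        outs.append((struct.unpack("<q", s.read(8))[0], s.read(read_compact(s)).hex()))
    return n_in, outs

def summarize_psbt(raw):                    # outputs, fee, partial signatures per input
    s = BytesIO(raw)
    if s.read(5) != b"psbt\xff":
        raise ValueError("bad PSBT magic")
    n_in, outs = parse_unsigned_tx(read_map(s)[b"\x00"])   # global key 0x00: unsigned tx
    spent, sigs = 0, []
    for _ in range(n_in):
        m = read_map(s)
        if b"\x01" not in m:                # input key 0x01: witness UTXO (amount + script)
            raise ValueError("input lacks witness UTXO; fee cannot be checked")
        spent += struct.unpack("<q", m[b"\x01"][:8])[0]
        sigs.append(sum(k[0] == 0x02 for k in m))          # input key 0x02: partial signature
    return {"outputs": outs, "fee": spent - sum(v for v, _ in outs), "partial_sigs": sigs}

# Constructed sample: one 100,000-sat input, two P2WPKH outputs, one placeholder signature.
def kv(k, v): return bytes([len(k)]) + k + bytes([len(v)]) + v
def txout(sats, spk): return struct.pack("<q", sats) + bytes([len(spk)]) + spk
SPK_A, SPK_B = bytes.fromhex("0014" + "11" * 20), bytes.fromhex("0014" + "22" * 20)
TX = (struct.pack("<i", 2) + b"\x01" + b"\xaa" * 32 + bytes(4) + b"\x00" + b"\xff" * 4
      + b"\x02" + txout(50_000, SPK_A) + txout(49_000, SPK_B) + bytes(4))
SAMPLE = (b"psbt\xff" + kv(b"\x00", TX) + b"\x00" + kv(b"\x01", txout(100_000, SPK_B))
          + kv(b"\x02" + b"\x03" * 33, b"\x30" * 71) + b"\x00" + b"\x00\x00")
```

Comparing this summary of the file that actually crossed the air gap with what the signing device displays shows whether the two agree; in a 2-of-3 setup the transaction can be finalized once every input holds two partial signatures.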
Related Concepts
- Cold Storage — the broader category of offline key storage that air-gapped signing exemplifies
- Hardware Wallet — dedicated devices commonly used for air-gapped signing
- Partially Signed Bitcoin Transaction — the standardized format for passing transactions across the air gap
- Multisig — often combined with air-gapped signing for maximum security
- Key Pair — the private key that never leaves the air-gapped device